The titles slapped on government reports are often meant to downplay or obfuscate. Not so the title of a report from the Inspector General of the Department of Homeland Security – CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data.
The title may be lengthy, but it describes the alarming extent of lawless surveillance by federal agencies. For years, these three agencies freely accessed Americans’ location histories and other data collected from mobile device applications and sold by third-party data vendors to the government.
The Department of Homeland Security Privacy Office itself “did not follow or enforce its own privacy policies and guidance.” The report notes that DHS itself has no department-wide policy regarding privacy. This negligence allowed DHS agencies to break the law and do so without any supervisory review.
The law in this case is the E-Government Act of 2002, in which Congress mandated that agencies conduct a Privacy Impact Assessment (PIA) that requires the government to spell out what information it is collecting, why it is collecting it, and how that information will be used, stored, and shared. The law also requires agencies to describe how this information will be protected from unauthorized use or disclosure, and how long it will be retained.
Instead, CBP, ICE, and the Secret Service helped themselves to location data harvested from apps installed on Americans’ smartphones. One CBP official felt sufficiently comfortable with this technology to use it to track his coworkers’ daily movements, for what purpose only HR knows.
Why might DHS have leaned away from adhering to the law? Nate Wessler, deputy project director of the ACLU’s Speech, Privacy and Technology project, told 404 Media that if the agencies had performed the required Privacy Impact Assessments “they could have reached only one reasonable conclusion: the privacy impact is extreme.”
The unclassified DHS report is a thunderclap of candid accounting of government agencies bending or breaking the law. It follows the Department of Justice Inspector General’s unsparing 2019 analysis of the Crossfire Hurricane investigation and PCLOB’s recent analysis of Section 702 of the Foreign Intelligence Surveillance Act, advocating for greater judicial oversight of that program’s use of Americans’ communications “incidentally” caught up in surveillance of foreign targets.
The DHS report should especially be read in the light of a surprisingly frank report released by the Office of the Director of National Intelligence, which states that commercially acquired data can be used to follow protestors, degrade First Amendment expression, and “facilitate blackmail, stalking, harassment, and public shaming.”
The DHS report is just one more reason why Congress should take the pending reauthorization of Section 702 as a once-in-a-generation opportunity for reform. Congress should require federal agencies to obtain a probable cause warrant before examining Americans’ communications and data, whether obtained from Section 702 or through data purchases.